From e67c5e1fe7110ef32eadd848e0a4070f1d0684fd Mon Sep 17 00:00:00 2001 From: Jamkris Date: Wed, 13 May 2026 11:23:05 +0900 Subject: [PATCH] docs: record ECC backport in 2026-05-12 sync round log MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While porting 0dcde13 (block-no-verify shell-words rewrite) in #68, CodeRabbit's round-3 review surfaced two real bypass holes that EGC inherited verbatim from ECC: - core.hooksPath case-sensitivity bypass (critical) - -tn false positive (major) Both fixes shipped to EGC in #68 (commit fbf7908). Also backported upstream to ECC as affaan-m/everything-claude-code#1843 per the dual-PR pattern in CONTRIBUTING.md — first contribution flowing the other direction from this sync round. Audit log updated so the provenance is on the record. --- upstream/sync-rounds/2026-05-12.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/upstream/sync-rounds/2026-05-12.md b/upstream/sync-rounds/2026-05-12.md index c7d66f0..52a7ba4 100644 --- a/upstream/sync-rounds/2026-05-12.md +++ b/upstream/sync-rounds/2026-05-12.md 
@@ -226,3 +226,12 @@ PRs 1–4 can land in parallel. PR 5 must be last. - The 3 deferred net-new skills (`tinystruct-patterns`, `ios-icon-gen`, `flox-environments`). Open as a separate "ECC net-new skills" round once round 2 lands. - The schema split between `lastSyncedSha` and `lastEvaluatedSha` (would change the validator + drift workflow). Defer to its own PR. + +## Backports to upstream ECC + +While porting `0dcde13` (block-no-verify shell-words rewrite) in PR [#68](https://github.com/Jamkris/everything-gemini-code/pull/68), CodeRabbit's round-3 review surfaced two real bypass holes in the upstream rewrite that EGC inherited verbatim: + +- **`core.hooksPath` case-sensitivity bypass** (critical) — `git -c core.hookspath=…` slipped past the guard because the comparison was case-sensitive while Git config keys are case-insensitive. +- **`-tn` false positive** (major) — `COMMIT_SHORT_OPTIONS_WITH_VALUE` was missing `'t'`, so `git commit -tn templatefile` was falsely blocked as a `-n` (no-verify) bypass. + +Both fixes shipped to EGC in [#68](https://github.com/Jamkris/everything-gemini-code/pull/68) (commit `fbf7908`). They were also backported upstream to ECC as [`affaan-m/everything-claude-code#1843`](https://github.com/affaan-m/everything-claude-code/pull/1843) per the dual-PR pattern in `CONTRIBUTING.md`. This is the first contribution flowing the other direction from EGC's sync rounds.
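Review bot: The two bullets under "Backports to upstream ECC" record the cause of each bypass but not the change that closed it, and the closing paragraph does not say whether `affaan-m/everything-claude-code#1843` was merged or was still open when this entry was written. Since this file is the audit record, add to each bullet what the fix did and whether a regression test covers it. For the `core.hooksPath` bullet that means how the key comparison was made case-insensitive. For the `-tn` bullet it means confirming whether the fix was adding `'t'` to `COMMIT_SHORT_OPTIONS_WITH_VALUE`. Also record the state of the upstream PR next to its link. The `core.hooksPath` bullet shows only the all-lowercase `core.hookspath` spelling, so it would read more precisely if it said the guard has to match the key in any casing.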